author tb <tb@openbsd.org> 2020-05-23 09:02:02 +0000
committer tb <tb@openbsd.org> 2020-05-23 09:02:02 +0000
commit 5285fdef500c6530038f1d6bcb70135a8dbc7d15
tree 16f2ab67202302172c8da596ec995099c1883393
parent Do not assume that server_group != 0 or tlsext_supportedgroups != NULL
Avoid an out-of-bounds array access in the s_server.

It can be triggered by sending a line to stdin while no connection is open and then connecting a client. The first SSL_write() fails, sends SSL_ERROR_WANT_* and then causes a segfault deep down in the tls stack when accessing &(buf[-1]).

ok beck inoguchi

-rw-r--r-- usr.bin/openssl/s_server.c 4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index b397e6966d5..e0838b2b503 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.35 2020/05/13 10:18:03 inoguchi Exp $ */
+/* $OpenBSD: s_server.c,v 1.36 2020/05/23 09:02:02 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1502,6 +1502,8 @@ sv_body(char *hostname, int s, unsigned char *context)
ret = 1;
goto err;
}
+ if (k <= 0)
+ continue;
l += k;
i -= k;
if (i <= 0)
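
Review bot: The `if (k <= 0) continue;` guard added ahead of `l += k;` in sv_body() has no comment saying which results can still reach it after the error handling that ends in `goto err` just above. A one-line comment would help, for example that a write which returned a non-positive `k` must leave `l` and `i` untouched, since adding that `k` is what moved the buffer offset backwards (the commit message cites an access to &(buf[-1])). Because `continue` retries with `l` and `i` unchanged, it is also worth confirming that every non-retryable failure takes the `goto err` path above, so the loop cannot repeat indefinitely on a write that never makes progress.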